When a user stores data in a first server and has a second server use the data stored in the first server, a protocol called “OAuth” is used. OAuth will be explained briefly with reference to FIG. 1.
As an assumption in FIG. 1, a user stores its own data in a provider. In addition, a consumer registers itself with the provider in advance. Then, the user instructs the consumer to obtain an access right to the user's own data stored in the provider (step (1)). As a result, the consumer accesses the provider (step (2)) and obtains an unauthorized request token R0 from the provider (step (3)). After that, the consumer redirects the user to the provider (step (4)). At this time, the consumer attaches the unauthorized request token R0 to the Uniform Resource Locator (URL) parameters so that the unauthorized request token R0 is sent to the provider through the user. In response to the access from the user, the provider transmits, to the user, data requesting the user to authorize the acquisition by the consumer of the access right to the provider (step (5)). In response to receipt of that data, the user transmits, to the provider, a notification representing that the acquisition of the access right by the consumer is allowed (step (6)). Then, the provider changes the unauthorized request token R0 to an authorized request token R1 and redirects the user to the consumer (step (7)). At this time, the provider attaches the authorized request token R1 to the URL parameters so that the authorized request token R1 is sent to the consumer through the user.
After that, the consumer transmits the authorized request token R1 to the provider (step (8)), and obtains an access token A from the provider (step (9)). Then, the consumer obtains the data of the user from the provider by using this access token A (step (10)).
Generally, not only plural consumers but also plural providers exist, and the aforementioned processing is carried out for each combination of consumer and provider. In addition, because a valid term is set for the access right, the same processing is carried out again when the valid term expires. This is burdensome for the user.
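The following is an added illustration, not part of the original description, that models the provider side of steps (1) to (10) in memory: the token names R0, R1 and A follow FIG. 1, and the class name, the hypothetical time argument `now`, and the choice to issue R1 as a fresh token string distinct from R0 are assumptions of this example. It also enforces the checks a provider must make at each step (registered consumer only, authorized and single-use request token, matching consumer, and the valid term of A).

```python
import secrets


class Provider:
    """Provider side of the FIG. 1 flow, modelled in memory (constructed example)."""

    def __init__(self, access_ttl=3600):
        self.consumers = set()     # consumers that registered in advance
        self.request_tokens = {}   # R0 / R1 -> {"consumer", "authorized", "user"}
        self.access_tokens = {}    # A -> {"consumer", "user", "expires"}
        self.user_data = {}        # user -> data the user stored at the provider
        self.access_ttl = access_ttl   # the valid term set for the access right

    def issue_request_token(self, consumer):
        # steps (2)-(3): an unauthorized request token R0, for a registered consumer only
        if consumer not in self.consumers:
            raise PermissionError("consumer is not registered with the provider")
        r0 = secrets.token_hex(8)
        self.request_tokens[r0] = {"consumer": consumer, "authorized": False, "user": None}
        return r0

    def authorize(self, r0, user):
        # steps (5)-(7): the user allows the access; R0 is replaced by an authorized R1
        entry = self.request_tokens.pop(r0)
        r1 = secrets.token_hex(8)
        self.request_tokens[r1] = {"consumer": entry["consumer"], "authorized": True, "user": user}
        return r1

    def exchange(self, consumer, r1, now):
        # steps (8)-(9): only an authorized token, presented once by its own consumer, yields A
        entry = self.request_tokens.pop(r1, None)   # pop: a request token is single use
        if entry is None or entry["consumer"] != consumer or not entry["authorized"]:
            raise PermissionError("request token is unknown, unauthorized, or not this consumer's")
        a = secrets.token_hex(8)
        self.access_tokens[a] = {"consumer": consumer, "user": entry["user"], "expires": now + self.access_ttl}
        return a

    def get_data(self, consumer, a, now):
        # step (10): data is released only while the valid term of A has not expired
        entry = self.access_tokens.get(a)
        if entry is None or entry["consumer"] != consumer or now >= entry["expires"]:
            raise PermissionError("access token is missing, another consumer's, or expired")
        return self.user_data[entry["user"]]


def run_flow(provider, consumer, user, now=0):
    """Steps (1)-(10) for one consumer/provider pair; returns the user's data."""
    r0 = provider.issue_request_token(consumer)   # (2), (3)
    r1 = provider.authorize(r0, user)             # (4)-(7), carried via the user's redirects
    a = provider.exchange(consumer, r1, now)      # (8), (9)
    return provider.get_data(consumer, a, now)    # (10)
```

Once `now` passes `expires`, `get_data` refuses the token and the whole flow has to be run again, which is the repeated processing the paragraph above describes.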
A conventional technique exists in which an intermediate authentication server is introduced into an authentication mechanism called “OpenID” to secure the confirmation of identity. However, this technique cannot resolve the aforementioned problem. There is also a proxy authentication technique. For example, a proxy authentication apparatus accesses a server connected through a network in response to a request from a client. In this proxy authentication apparatus, plural authentication confirmation logics exist, each identifying a response representing that the user authentication is incomplete. The proxy authentication apparatus then determines whether the user authentication is required based on whether or not the response from the server matches any of the plural authentication confirmation logics. When it is determined that the user authentication is required, the proxy authentication apparatus carries out the user authentication procedure with the server according to the authentication procedure defined in advance in association with the authentication confirmation logic that matches the response from the server. This technique does not assume a situation like that of the aforementioned OAuth, and cannot be applied to it straightforwardly.